From owner-freebsd-arch Wed Nov 24 14:34:15 1999
Delivered-To: freebsd-arch@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 4F6B214BDA for ; Wed, 24 Nov 1999 14:34:12 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id XAA10589 for ; Wed, 24 Nov 1999 23:33:05 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id XAA36420 for freebsd-arch@freebsd.org; Wed, 24 Nov 1999 23:33:05 +0100 (MET)
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 6C4A714FD9; Wed, 24 Nov 1999 14:32:54 -0800 (PST) (envelope-from louie@whizzo.transsys.com)
Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.9.3/8.9.1) with ESMTP id RAA21036; Wed, 24 Nov 1999 17:31:30 -0500 (EST) (envelope-from louie@whizzo.transsys.com)
Message-Id: <199911242231.RAA21036@whizzo.transsys.com>
X-Mailer: exmh version 2.1.1 10/15/1999
To: "Rodney W. Grimes"
Cc: ahl@austclear.com.au (Tony Landells), ipfw@freebsd.org, arch@freebsd.org
From: "Louis A. Mamakos"
Subject: Re: new IPFW
References: <199911242208.OAA46490@gndrsh.dnsmgr.net>
In-reply-to: Your message of "Wed, 24 Nov 1999 14:08:47 PST." <199911242208.OAA46490@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 24 Nov 1999 17:31:30 -0500
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > [ using BPF for ipfw ]
> >
> > One concern I would have with that is that there are a lot of tools
> > built on BPF that I would prefer to not be able to run on the firewall.
> >
> > Well, to be more accurate, I'd love to be able to run them on the
> > firewall, but I don't want attackers to have access to them, and
> > the safest option is to not even have support in the kernel for them
> > (I can always plug in a separate sniffer if I really need it).
>
> Non-issue. The fcode engine is in net/bpf_filter.c, the bpf tapping
> routines that actually get packets to/from the cards is in net/bpf.c.
>
> I didn't mean to imply that the filtering should be done using the /dev/bpf
> interface, just that the engine code for filtering could be reused.

I've actually used the BPF engine for just such an application. It was on
another platform (NeXTSTEP), and it was sorta a netgraph-like system, but
all in user space. I used a BPF-based engine for such things as "firewall"
type filtering, as well as classifying traffic for dial-on-demand and
idle-timeout reset. It worked quite well.

The one extension which would be valuable is more an extension of the BPF
expression compiler rather than the engine itself; it would be valuable to
be able to return a value from the BPF-engine program so that it could be
acted on. The engine itself has this capability, but the existing
tcpdump-intended expression compiler doesn't currently have syntax to
support it.

louie

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
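The point made in the message above, that the BPF engine itself can hand back an arbitrary value while the tcpdump-style expression compiler only ever emits "0 or snaplen", is easier to see with a hand-assembled program. The following is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from net/bpf_filter.c. It is a small C interpreter for a subset of classic BPF instructions (the opcode numbers and the instruction layout match <net/bpf.h>; everything else, the verdict codes, the validate_program check, the constructed Ethernet/IPv4 frames, is invented here) plus a classifier program whose RET value is a firewall verdict rather than a capture length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: minimal classic-BPF interpreter. Same field layout as
 * struct bpf_insn; opcode values as in <net/bpf.h>, only the subset used here. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define OP_LDH_ABS 0x28u   /* A = 16-bit big-endian value at pkt[k] */
#define OP_LDB_ABS 0x30u   /* A = pkt[k] */
#define OP_JEQ_K   0x15u   /* pc += (A == k) ? jt : jf */
#define OP_RET_K   0x06u   /* return k */
#define OP_RET_A   0x16u   /* return A */

/* Hypothetical firewall verdicts carried in the RET value (constructed). */
enum verdict { V_DROP_NONIP = 0, V_ACCEPT = 1, V_LOG = 2, V_DENY = 3 };
#define V_ERROR 0xFFFFFFFFu   /* malformed program or out-of-bounds load */

/* Static check in the spirit of the kernel's bpf_validate(): only known
 * opcodes, forward jump targets inside the program, and a RET at the end. */
int validate_program(const struct insn *prog, size_t n)
{
    if (n == 0) return 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS: case OP_LDB_ABS: case OP_RET_K: case OP_RET_A:
            break;
        case OP_JEQ_K:
            if (pc + 1 + i->jt >= n || pc + 1 + i->jf >= n) return 0;
            break;
        default:
            return 0;
        }
    }
    return prog[n - 1].code == OP_RET_K || prog[n - 1].code == OP_RET_A;
}

/* Run a program over a packet; every load is bounds-checked against len. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc++];
        switch (i->code) {
        case OP_LDB_ABS:
            if (i->k >= len) return V_ERROR;
            a = pkt[i->k];
            break;
        case OP_LDH_ABS:
            if (len < 2 || i->k > len - 2) return V_ERROR;
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case OP_JEQ_K:
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case OP_RET_K: return i->k;
        case OP_RET_A: return a;
        default:       return V_ERROR;
        }
    }
    return V_ERROR;   /* fell off the end without a RET */
}

/* Classifier over an Ethernet frame: non-IPv4 -> V_DROP_NONIP,
 * TCP -> V_ACCEPT, UDP -> V_LOG, any other IP protocol -> V_DENY. */
static const struct insn classifier[] = {
    { OP_LDH_ABS, 0, 0, 12 },           /* 0: A = ethertype            */
    { OP_JEQ_K,   0, 6, 0x0800 },       /* 1: IPv4? else jump to 8     */
    { OP_LDB_ABS, 0, 0, 23 },           /* 2: A = IP protocol (14 + 9) */
    { OP_JEQ_K,   0, 1, 6 },            /* 3: TCP? -> 4, else -> 5     */
    { OP_RET_K,   0, 0, V_ACCEPT },     /* 4                           */
    { OP_JEQ_K,   0, 1, 17 },           /* 5: UDP? -> 6, else -> 7     */
    { OP_RET_K,   0, 0, V_LOG },        /* 6                           */
    { OP_RET_K,   0, 0, V_DENY },       /* 7                           */
    { OP_RET_K,   0, 0, V_DROP_NONIP }, /* 8                           */
};
#define CLASSIFIER_LEN (sizeof classifier / sizeof classifier[0])

uint32_t classify(const uint8_t *pkt, size_t len)
{
    if (!validate_program(classifier, CLASSIFIER_LEN)) return V_ERROR;
    return run_filter(classifier, CLASSIFIER_LEN, pkt, len);
}

/* Constructed 34-byte Ethernet + IPv4 header carrying the given protocol. */
size_t make_ipv4_frame(uint8_t proto, uint8_t *buf, size_t cap)
{
    if (cap < 34) return 0;
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00;   /* ethertype IPv4 */
    buf[14] = 0x45;                   /* version 4, IHL 5 */
    buf[23] = proto;
    return 34;
}

/* Constructed 42-byte Ethernet + ARP frame (non-IP traffic). */
size_t make_arp_frame(uint8_t *buf, size_t cap)
{
    if (cap < 42) return 0;
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x06;   /* ethertype ARP */
    return 42;
}

int main(void)
{
    uint8_t f[64];
    size_t n = make_ipv4_frame(6, f, sizeof f);
    printf("tcp frame -> verdict %u\n", classify(f, n));
    n = make_arp_frame(f, sizeof f);
    printf("arp frame -> verdict %u\n", classify(f, n));
    return 0;
}
```

The verdict enum is what the tcpdump compiler has no syntax for: its programs end in `ret #snaplen` or `ret #0`, so to get four outcomes from one program you currently hand-assemble it, as above. The two checks that matter for a kernel-resident engine are also visible here: validate_program rejects programs that jump outside themselves or never return, and run_filter refuses loads past the end of a short packet (the truncated-frame case returns V_ERROR instead of reading off the end of the buffer).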